[U-Boot] RSA in U-Boot

Sughosh Ganu sughosh.ganu at linaro.org
Thu May 16 07:23:21 UTC 2019


On Sat, 27 Apr 2019 at 12:03, Heinrich Schuchardt <xypron.glpk at gmx.de>
wrote:

> On 4/27/19 7:31 AM, Paolo Bonzini wrote:
> >
> >>>> I've done porting linux's pkcs7/x509 parsers and they work well
> >>>> with my UEFI secure boot patch, but I'm still looking for other
> options
> >>>> as well.
> >>>>
> >>>> * openssl
> >>>>    Most of existing components linked to UEFI secure boot, including
> >>>>    EDK2, shim and grub, reply on this library. Why not for U-Boot?
> >>>>    The size of U-Boot UEFI code in U-Boot is already quite big, and
> >>>>    so the size of openssl won't be a big issue.
> >>>> * mbedTLS
> >>>>    which is maintained by ARM and used with Zephyr, I guess it should
> >>>>    have small footprint. But it currently lacks pkcs7 parser.
> >>>>
> >>>> Any thoughts?
> >>>
> >>>
> >>> Paolo, Laszlo, Ard, if you could write a new secure boot implementation
> >>> today, which of the options above would you pick and why so? :)
> >>
> >> Difficult question. Ideally you'd want a library where three aspects
> met:
> >>
> >> - widely used (so that there is a diverse community that's interested in
> >> vulnerabilities, and fixing them too)
> >>
> >> - easy to cross-compile for your free-standing environment (optimally
> >> the upstream project would support being cross-compiled and packaged
> >> stand-alone, for that free-standing environment)
> >>
> >> - cares about API stability
> >>
> >> OpenSSL is very widely used...
> >> ...and that's where we can stop in the list :)
> >
> > It's also license-incompatible with U-Boot's GPLv2 I think.  I guess
> > grub can use it because GPLv3 and Apache v2 can be combined just fine.
> > Reusing Linux's code seems like the best match.
> >
> > Paolo
> >
>
> You could have a look at GnuTLS available at
> https://gitlab.com/gnutls/gnutls/ .
>
> PKCS7 is supported, cf.
> https://www.gnutls.org/manual/html_node/PKCS-7-API.html
>
> There seem to be four main contributors to GnuTLS adding two patches a day:
>
> https://github.com/gnutls/gnutls/graphs/contributors?from=2018-04-28&to=2019-04-27&type=a


There is LibreSSL as well which is a fork of openssl. Guess that too should
be fine. What would be the more preferred solution here. The relevant bits
can be imported from the kernel code into u-boot, or there can be a
solution with linking of ssl/tls library with u-boot. Which would be the
more preferred solution. It'd be great if the maintainers can comment on
this. Thanks.

-sughosh


More information about the U-Boot mailing list